Security Messages
14 May 2007
The 1.2.1 release of Hyrax - and BES 3.5.0 in particular - addresses some potential security issues. See Hyrax and BES for more information. We decided to replace the problematic software with a completely new implementation instead of issuing a patch.
27 April 2007, updated 3 May 2007
We learned of a security vulnerability in our Server3 data server (also known as our 'CGI-Based Server') and have released a patch for Server3 which you can get below. Versions 3.2.10 to 3.7.4 are affected by this vulnerability (these versions correspond to 12/31/2002 to 4/25/2007). The security vulnerability allows remote people to run arbitrary commands on a computer running the server. You can determine if you have been affected by this vulnerability by looking at your web server access logs (often found in /etc/httpd/logs/) for lines which contain evidence of people running commands.
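One way to do that log check, as an added example rather than code from OPeNDAP: it parses Apache access-log lines, URL-decodes the request, and flags requests to the CGI server whose decoded constraint contains shell command separators or substitutions. The /cgi-bin/dods prefix and the log lines are constructed for the demonstration; adjust the prefix to wherever Server3 is installed.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (not real traffic); /cgi-bin/dods is a
# placeholder for the path under which Server3 is installed on your host.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Apr/2007:08:01:12 -0600] "GET /cgi-bin/dods/data/sst.nc.dds HTTP/1.1" 200 1402',
    '198.51.100.9 - - [26/Apr/2007:08:02:45 -0600] "GET /cgi-bin/dods/data/sst.nc.dods?sst%5B0%5D HTTP/1.1" 200 88216',
    '203.0.113.4 - - [26/Apr/2007:23:17:03 -0600] "GET /cgi-bin/dods/data/sst.nc.dods?%60id%60 HTTP/1.1" 200 311',
    '203.0.113.4 - - [26/Apr/2007:23:17:40 -0600] "GET /cgi-bin/dods/data/sst.nc.dds?x%3Bwhoami HTTP/1.1" 200 311',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens a DAP constraint expression never needs but a shell uses to chain or
# substitute commands. '&' is deliberately absent: DAP uses it to join
# selection clauses, so it would only produce false positives.
SHELL_META = re.compile(r'[;|`]|\$\(|\n')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(url):
    # Decode twice: some clients double-encode, and the CGI layer decodes the
    # request before the Perl dispatch code ever sees it.
    decoded = unquote(unquote(url))
    return bool(SHELL_META.search(decoded))

def scan(lines, cgi_prefix='/cgi-bin/dods'):
    # Return (client ip, timestamp, decoded url) for each request to the CGI
    # server that carries shell metacharacters.
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec['url'].startswith(cgi_prefix):
            continue
        if is_suspicious(rec['url']):
            hits.append((rec['ip'], rec['ts'], unquote(unquote(rec['url']))))
    return hits

if __name__ == '__main__':
    for ip, ts, url in scan(SAMPLE_LOG):
        print(f'{ip} {ts} {url}')
```

A hit is a reason to look at that client's full request history, not proof of compromise on its own; a clean scan of rotated-away logs proves nothing either.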
The patch is available as a text file that explains how to modify the server so the exploit will no longer work. You can verify the integrity of the patch using the MD5 or SHA1 checksums:
- MD5: fadb4d90c93dce1cf9d5e522a0e1a5de  server3-patch-05.01.2007.txt
- SHA1: 854639242ce5829b180fa8e9e93752c651aa3e75  server3-patch-05.01.2007.txt
Note: If you are patching your server and do not find the get_url() function in DODS_Dispatch.pm, then your server is not affected by the vulnerability - you're safe - and there's no need to patch.
Please contact us directly with any questions you have about the patch at security-help at opendap.org. This address is not a list; it will get your message directly to a developer.
If you would like general help in upgrading your server, or if you have more questions, you can contact the opendap-tech email list (you must subscribe first, see the mailing lists page) or our user support (support at opendap.org).
Once we have addressed the short-term issues presented by this problem, OPeNDAP will form a Security Working Group to develop a set of policies concerning general security issues and responses to problems. See Working Groups.
We apologize for any inconvenience this may cause you.
